Merge "Create Octavia policy roles and legacy admin-owner rules"

This commit is contained in:
Zuul 2017-12-05 08:03:15 +00:00 committed by Gerrit Code Review
commit 25f3446fab
5 changed files with 75 additions and 1 deletions

View File

@ -16,7 +16,7 @@
## Verbosity Options
debug: False
## Octavia stnadalone (v2) experimental
## Octavia standalone (v2) experimental
octavia_v2: false
## Activate Octavia V1 API
@ -25,6 +25,13 @@ octavia_v1: True
## Allow TLS listener
octavia_tls_listener_enabled: True
# Legacy policy disables the requirement for load-balancer service users to
# have one of the load-balancer:* roles. It provides a similar policy to
# legacy OpenStack policies where any user or admin has access to load-balancer
# resources that they own. Users with the admin role has access to all
# load-balancer resources, whether they own them or not.
octavia_legacy_policy: False
# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
octavia_package_state: "latest"

View File

@ -84,6 +84,11 @@
tags:
- octavia-install
- include: octavia_policy.yml
tags:
- octavia-install
- octavia-config
- name: Flush handlers
meta: flush_handlers

50
tasks/octavia_policy.yml Normal file
View File

@ -0,0 +1,50 @@
---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create load-balancer_observer role
keystone:
command: "ensure_role"
endpoint: "{{ keystone_service_adminurl }}"
login_user: "{{ keystone_admin_user_name }}"
login_password: "{{ keystone_auth_admin_password }}"
login_project_name: "{{ keystone_admin_tenant_name }}"
region_name: "{{ octavia_service_region }}"
service_name: "{{ octavia_service_name }}"
service_type: "{{ octavia_service_type }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
role_name: "{{ item }}"
register: add_role
until: add_role|success
retries: 5
delay: 10
with_items:
- load-balancer_observer
- load-balancer_global_observer
- load-balancer_member
- load-balancer_admin
- load-balancer_quota_admin
- name: Set legacy role policies
config_template:
src: policy.json.j2
dest: /etc/octavia/policy.json
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
config_overrides: "{{ octavia_policy_overrides }}"
config_type: "json"
notify:
- Restart octavia services
when: octavia_legacy_policy

11
templates/policy.json.j2 Normal file
View File

@ -0,0 +1,11 @@
{
"context_is_admin": "role:admin or role:load-balancer_admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"load-balancer:read": "rule:admin_or_owner",
"load-balancer:read-global": "is_admin:True",
"load-balancer:write": "rule:admin_or_owner",
"load-balancer:read-quota": "rule:admin_or_owner",
"load-balancer:read-quota-global": "is_admin:True",
"load-balancer:write-quota": "is_admin:True"
}

View File

@ -53,6 +53,7 @@ octavia_service_project_domain_id: default
octavia_service_user_domain_id: default
octavia_service_user_name: "octavia"
octavia_ansible_endpoint_type: "internal"
octavia_legacy_policy: True
octavia_health_hmac_key: secrete